At the DerbyCon security conference last week, a security researcher showed how DLL injection can be used by ransomware to bypass the Controlled Folder Access ransomware protection feature.

To do this, Aoyama relied on the fact that when explorer.exe starts, it will load DLLs found under the HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers registry key shown below. [...]

This means that if a key exists in HKCU, it would take precedence over the same key in HKLM, and be the data merged into the HKEY_CLASSES_ROOT tree. I know this can be a bit confusing, so you can read this document for more information.

Now when Explorer.exe is killed and restarted, the malicious DLL will be launched inside explorer.exe rather than Shell.dll. You can see an example of the DLL injected into explorer.exe below. [...]

Microsoft, though, did not feel that this was a vulnerability that warranted a bounty or that requires a patch.


What this does allow is for malware to be installed without administrative privileges and still be able to bypass the ransomware protection of Controlled Folder Access. This does not sound like a good thing.

A security researcher has found a way to bypass the "Controlled Folder Access" feature added in Windows 10 in October 2017, which Microsoft has touted as a reliable anti-ransomware defensive measure.

But Yago Jesus, a Spanish security researcher with SecurityByDefault, has discovered that Microsoft has automatically whitelisted all Office apps on this list. This means that Office apps can modify files located in a CFA folder, whether the user likes it or not.

Jesus said he notified Microsoft about the issue he discovered. In a screenshot of the email he received from Microsoft, Jesus said the OS maker didn't classify the issue as a security vulnerability but said it would improve CFA in future releases to address the reported bypass method.

Yeah, I said this would happen when they released this feature. This is why I did not enable it on ANY of the PCs I manage.


This is no surprise at all, but apparently most ransomware doesn't use code injection? I do know they sometimes use process hollowing and from what I understood the "protected folders" feature did protect against this surprisingly. Actually, I don't know if Cruelsister did test this.

This technique will bypass the protected folders feature of all AVs. This kind of feature will always be defeatable.
However, the newly improved Windows Defender ASR rules on Windows Pro 1809 with updates will defeat this technique. The ASR rules are not enabled by default, but they are there.

This is no surprise at all, but apparently most ransomware doesn't use code injection? I do know they sometimes use process hollowing and from what I understood the "protected folders" feature did protect against this surprisingly. Actually, I don't know if Cruelsister did test this.


Most ransomware likely doesn't use code injection. That said, there are other things that do. I guess this is a ransomware discussion but it is far from my only concern.

Easiest way to prevent this bypass is to prevent explorer.exe from being terminated. Also this technique, explorer termination and restarting, has been used in the past by malware.

-EDIT- Scratch the above since it really isn't the problem. What the bypass is:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InProcServer32 key. To load the malicious DLL into explorer.exe instead, Aoyama simply created a HKCU\Software\Classes\CLSID\{90AA3A4E-1CBA-4233-B8BB-535773D48449}\InProcServer32 key and set its default value to the malicious DLL.


requires monitoring of what is created in this registry key, HKCU\Software\Classes\CLSID\*. Appears that is feasible since all I have present in that key in Win 10 1803 are references to .dlls and .exe's loading from C:\Users\xxxxx\AppData\Local\Microsoft\OneDrive\18.131.0701.0007\amd64\ which does make one wonder since I have uninstalled OneDrive.

Also since this bypass requires registry modification, mitigations for that such as reg command usage and the like are also effective.

This bypass does have all the benefits that can be achieved via process hollowing without having to go through the effort to do so.
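A defender-side check for the user-hive override described above, added here as example code (it is not from the thread, from Aoyama's research or from BleepingComputer): it walks HKCU\Software\Classes\CLSID\*\InProcServer32, compares each entry with the HKLM key it would shadow under the HKCR merge rules, and flags entries that override a machine-wide CLSID or point into user-writable directories. The registry paths are the standard ones; the "user-writable" path pattern is an assumption you should tune to your environment.

```powershell
# Added example: enumerate per-user COM InProcServer32 registrations and flag
# those that shadow a machine-wide CLSID (HKCU wins over HKLM in the HKCR view,
# which is what lets a non-admin redirect the DLL a shell process loads).
function Get-UserComOverrides {
    $userRoot    = 'HKCU:\Software\Classes\CLSID'
    $machineRoot = 'HKLM:\SOFTWARE\Classes\CLSID'

    if (-not (Test-Path $userRoot)) { return @() }

    Get-ChildItem -Path $userRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $clsid   = $_.PSChildName
        $userKey = "$($_.PSPath)\InProcServer32"
        if (-not (Test-Path $userKey)) { return }   # no in-proc server registered here

        # The default value is the DLL path COM loads into the client process
        $userDll = (Get-ItemProperty -Path $userKey -ErrorAction SilentlyContinue).'(default)'

        $machineKey = "$machineRoot\$clsid\InProcServer32"
        $machineDll = $null
        if (Test-Path $machineKey) {
            $machineDll = (Get-ItemProperty -Path $machineKey -ErrorAction SilentlyContinue).'(default)'
        }

        [PSCustomObject]@{
            CLSID        = $clsid
            UserDll      = $userDll
            MachineDll   = $machineDll
            # True when a machine-wide registration exists and the user hive redirects it
            ShadowsHKLM  = ([bool]$machineDll) -and ($userDll -ne $machineDll)
            # Assumed heuristic: DLLs living in profile or temp paths deserve a second look
            UserWritable = ($userDll -match '\\Users\\|\\AppData\\|\\Temp\\')
        }
    }
}

# Report only the suspicious entries; legitimate per-user apps (e.g. OneDrive) will
# show up under UserWritable and need to be baselined once, then excluded.
Get-UserComOverrides |
    Where-Object { $_.ShadowsHKLM -or $_.UserWritable } |
    Sort-Object CLSID |
    Format-Table -AutoSize
```

Run it in the user's own context since HKCU is per-user; for continuous coverage, Sysmon registry events (IDs 12 and 13) filtered to HKCU\Software\Classes\CLSID catch the key creation the thread says needs monitoring.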

Most ransomware likely doesn't use code injection. That said, there are other things that do. I guess this is a ransomware discussion but it is far from my only concern.


They probably don't use standard code injection because this can be spotted by HIPS. But this particular method makes use of modifying a registry key; it's really ridiculous that this is possible in the Windows OS.